Check Point Research Detects Crypto Miner Malware Disguised as Google translate desktop and other legitimate Applications

New Delhi, September 2, 2022 - Check Point Research (CPR) discovers an active cryptocurrency mining campaign imitating “Google Translate Desktop” and other free software to infect PCs. Created by a Turkish speaking entity called Nitrokod, the campaign counts 111,000 downloads in 11 countries since 2019. The attackers delay the infection process for weeks to evade detection. CPR warns that attackers can easily choose to alter the malware, changing it from a crypto miner to ransomware or banking trojans, for example. 

• Campaign drops malware from free software available on popular websites such as Softpedia and uptodown.
• Malware is dropped from imitations of applications that are popular, but that do not have actual desktop versions, such as Google Translate 
• Victims seen are in UK, US, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland

CPR has discovered an active cryptocurrency mining campaign that imitates Google Desktop Translate and other free software to infect PCs. Created by a Turkish speaking entity called Nitrokod, the campaign has claimed roughly 111,000 victims in 11 countries since 2019. 

The campaign drops malware from free software available on popular websites such as Softpedia and uptodown. And, the malicious software can also be easily found through Google when users search “Google Translate Desktop download”. After the initial software installation, the attackers delay the infection process for weeks, deleting traces from the original installation. 

Figure 1. Top results for “Google Translate Desktop download”

Undetected for Years

The campaign has successfully operated under the radar for years. To avoid detection, Nitrokod authors implemented some key strategies: 

• The malware is first executed almost a month after the Nitrokod program is installed
• The malware is delivered after 6 earlier stages of infected programs
• The infection chain is continued after a long delay using a scheduled task mechanism, giving the attackers time to clear all their evidence

Infection Chain

• Infection starts with the installation of an infected program downloaded from the Web
• Once the user launches the new software, an actual Google Translate imitation application is installed. In addition, an update file is dropped to disk which starts a series of four droppers until the actual malware is dropped
• After the malware is executed, the malware connects to its C&C (Command & Control) server to get a configuration for the XMRig crypto miner and starts the mining activity

Figure 2. Infection Chain Map 

List of Countries with Victims: 

• UK
• US
• Sri Lanka
• Greece
• Israel
• Germany
• Turkey
• Cyprus
• Australia
• Mongolia
• Poland

Quote: Maya Horowitz, VP of Research at Check Point Software: 

“We discovered a popular website that serves malicious versions through imitations of PC applications, including Google Desktop and others, which include a cryptocurrency miner. The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click. We know that the tools are built by a Turkish - speaking developer. 

Currently, the threat we identified was unknowingly installing a cryptocurrency miner, which steals computer resources and leverages them for the attacker to monetize on. Using the same attack flow, the attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking Trojan. 

What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long. We blocked the threat for Check Point customers, and are publishing this report so that others can be protected as well.” 

Cyber Safety Tips: 

• Beware of lookalike domains, spelling errors in websites, and unfamiliar email senders
• Download software only from authorized, known publishers and vendors
• Prevent zero-day attacks with a holistic, end to end cyber architecture
• Make sure your endpoint security is up to date and provides comprehensive protection